DOI: 10.1145/1963405.1963435

ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads

Published: 28 March 2011

Abstract

A drive-by download attack occurs when a user visits a webpage that attempts to automatically download malware without the user's consent. Attackers sometimes use a malware distribution network (MDN) to manage a large number of malicious webpages, exploits, and malware executables. In this paper, we provide a new method to determine these MDNs from the secondary URLs and redirect chains recorded by a high-interaction client honeypot. In addition, we propose a novel drive-by download detection method. Instead of depending on the malicious content used by previous methods, our algorithm first identifies and then leverages the URLs of the MDN's central servers, where a central server is a common server shared by a large percentage of the drive-by download attacks in the same MDN. A set of regular expression-based signatures is then generated from the URLs of each central server. This method also identifies additional malicious webpages that launched a drive-by download attack but failed to complete it. The new drive-by detection system, named ARROW, has been implemented, and we provide a large-scale evaluation on the output of a production drive-by detection system. The experimental results demonstrate the effectiveness of our method: detection coverage is boosted by 96% with an extremely low false positive rate.
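The central-server idea in the abstract, worked through as an added Python example that is not code from the paper or from the ARROW system: redirect chains (constructed sample data, every hostname an invented placeholder) are scanned for hosts shared by a large share of the chains, and a regular-expression signature is generalized from that host's observed URLs, so that a later chain reaching the same server is flagged even when no payload was ever delivered. The share threshold, the token-generalization rules and all function names are my assumptions, not values or methods taken from the paper.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data (not from the paper): redirect chains as a high-interaction
# client honeypot would record them, landing page first, exploit/malware URL last.
# Every hostname below is an invented placeholder.
SAMPLE_CHAINS = [
    ["http://blog-one.example/article?id=7",
     "http://ads.central-server.test/in.cgi?id=1001&mode=2",
     "http://exploit-a.test/pdf.php", "http://exploit-a.test/load.exe"],
    ["http://forum.example/thread/42",
     "http://ads.central-server.test/in.cgi?id=1083&mode=2",
     "http://exploit-b.test/java.jar"],
    ["http://shop.example/",
     "http://ads.central-server.test/in.cgi?id=1120&mode=3",
     "http://exploit-c.test/pdf.php"],
    ["http://news.example/story", "http://other.test/go.php",
     "http://exploit-d.test/x.swf"],
]


def find_central_servers(chains, min_share=0.5):
    """Hosts that occur in at least min_share of the chains (counted once per chain).

    Returns (host, share) pairs, most shared first. min_share is an assumed
    parameter, not a value from the paper.
    """
    counts = Counter()
    for chain in chains:
        counts.update({urlsplit(u).hostname for u in chain})
    total = len(chains)
    return [(h, c / total) for h, c in counts.most_common() if c / total >= min_share]


def _generalize(values):
    """Regex fragment for one aligned token position across several URLs."""
    if len(set(values)) == 1:
        return re.escape(values[0])           # constant token: keep it literally
    if all(v.isdigit() for v in values):
        return r"\d+"                         # varying numeric id
    if all(re.fullmatch(r"[A-Za-z0-9]+", v) for v in values):
        return r"[A-Za-z0-9]+"                # varying alphanumeric token
    return r"[^/?&]+"                         # anything else: exactly one token


def generate_signature(urls):
    """Build one anchored regex from the URLs observed on a single central server."""
    parts = [urlsplit(u) for u in urls]
    hosts = {p.hostname for p in parts}
    if len(hosts) != 1:
        raise ValueError("signatures are generated per central server")
    host = hosts.pop()

    paths = [p.path.strip("/").split("/") for p in parts]
    if len({len(p) for p in paths}) == 1:     # same depth: align segment by segment
        path_re = "/" + "/".join(_generalize(list(col)) for col in zip(*paths))
    else:                                     # mixed depth: accept any path
        path_re = "/[^?#]*"

    queries = [parse_qsl(p.query, keep_blank_values=True) for p in parts]
    keys = [k for k, _ in queries[0]]
    if keys and all([k for k, _ in q] == keys for q in queries):
        fields = [re.escape(k) + "=" + _generalize([q[i][1] for q in queries])
                  for i, k in enumerate(keys)]
        query_re = r"\?" + "&".join(fields)   # same keys everywhere: generalize values
    elif any(p.query for p in parts):
        query_re = r"(\?[^#]*)?"              # inconsistent keys: accept any query
    else:
        query_re = ""
    return "^https?://" + re.escape(host) + path_re + query_re + "$"


def compile_signatures(chains, min_share=0.5):
    """Map each central server found in the chains to its compiled signature."""
    sigs = {}
    for host, _share in find_central_servers(chains, min_share):
        urls = [u for chain in chains for u in chain if urlsplit(u).hostname == host]
        sigs[host] = re.compile(generate_signature(urls))
    return sigs


def classify_chain(chain, sigs):
    """Return the central server whose signature a chain hits, or None.

    A chain that reaches the central server but never fetched a payload
    (the 'launched but failed' case in the abstract) is still flagged.
    """
    for url in chain:
        for host, rx in sigs.items():
            if rx.match(url):
                return host
    return None


if __name__ == "__main__":
    signatures = compile_signatures(SAMPLE_CHAINS)
    for host, rx in signatures.items():
        print(host, "->", rx.pattern)
    failed_attack = ["http://blog-two.example/",
                     "http://ads.central-server.test/in.cgi?id=2210&mode=5"]
    print(classify_chain(failed_attack, signatures))
```

The generalization keeps constant tokens literal and widens only the positions that vary across the observed URLs, which is what keeps the false positive rate low: a URL on the same host with a non-numeric `id`, or on a different host, does not match. In a real deployment the threshold would be tuned against the honeypot's chain volume, and signatures would be regenerated as the central server rotates its URL scheme.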


Published In

WWW '11: Proceedings of the 20th international conference on World wide web
March 2011
840 pages
ISBN:9781450306324
DOI:10.1145/1963405
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 March 2011

Author Tags

  1. detection
  2. drive-by download
  3. malware distribution network
  4. signature generation

Qualifiers

  • Research-article

Conference

WWW '11
WWW '11: 20th International World Wide Web Conference
March 28 - April 1, 2011
Hyderabad, India

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (Last 12 months)25
  • Downloads (Last 6 weeks)6
Reflects downloads up to 30 Aug 2024

Cited By

  • CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing. 2021 IEEE Symposium on Security and Privacy (SP), pp. 1109-1124, doi:10.1109/SP40001.2021.00021 (May 2021)
  • Cash for the Register? Capturing Rationales of Early COVID-19 Domain Registrations at Internet-scale. 2021 12th International Conference on Information and Communication Systems (ICICS), pp. 41-48, doi:10.1109/ICICS52457.2021.9464572 (24 May 2021)
  • Automatic generation of regular expressions for the Regex Golf challenge using a local search algorithm. Genetic Programming and Evolvable Machines 23(1), pp. 105-131, doi:10.1007/s10710-021-09411-x (1 Oct 2021)
  • In-Depth Evaluation of Redirect Tracking and Link Usage. Proceedings on Privacy Enhancing Technologies 2020(4), pp. 394-413, doi:10.2478/popets-2020-0079 (17 Aug 2020)
  • Survey on Detection and Prediction Techniques of Drive-by Download Attack in OSN. Advanced Computing Technologies and Applications, pp. 453-463, doi:10.1007/978-981-15-3242-9_42 (7 May 2020)
  • Spam Detection in Link Shortening Web Services Through Social Network Data Analysis. Data Engineering and Communication Technology, pp. 103-118, doi:10.1007/978-981-15-1097-7_9 (9 Jan 2020)
  • Cyber Attribution from Topological Patterns. Computational Science – ICCS 2020, pp. 58-71, doi:10.1007/978-3-030-50433-5_5 (15 Jun 2020)
  • Detecting Malicious Websites by Query Templates. Innovative Security Solutions for Information Technology and Communications, pp. 65-77, doi:10.1007/978-3-030-41025-4_5 (28 Feb 2020)
  • A Malicious Web Site Identification Technique Using Web Structure Clustering. IEICE Transactions on Information and Systems E102.D(9), pp. 1665-1672, doi:10.1587/transinf.2018OFP0010 (1 Sep 2019)
  • Evasive Malicious Website Detection by Leveraging Redirection Subgraph Similarities. IEICE Transactions on Information and Systems E102.D(3), pp. 430-443, doi:10.1587/transinf.2018FCP0007 (1 Mar 2019)
